Code Injection With C++

Preferred implementations

Windows.h is the header file for the Windows API / Using Win32 functions. The Win32 method to remotely inject code is WriteProcessMemory()

The function:
So this block of code not only shows how to remotely inject code, but it also shows how to set memory page rights. Let's disassemble this line by line.
DWORD OLDPROTECT;
This is a DWORD type which will be used in VirtualProtect() for the memory page rights. VirtualProtect() is a Win32 function for setting the rights on a memory page such as READ, WRITE, and EXECUTE. VirtualProtectEx() is extended so that it can set the memory page rights on another process. If the memory page was Read-Only then it can't be written to with WriteProcessMemory() alone, you'd have to set the page rights to writable with VirtualProtectEx().

HWND windh = FindWindow(0, (LPCSTR)"WindowName");
This is a hWnd also known as a window handle, to retrieve the window handle we use FindWindow() FindWindow takes a window class name which is not a requirement if the window name is there or a window name which isn't optional if the window class name is there. FindWindow takes LPCSTR in it's parameters.

DWORD ppid;
This is the DWORD for the Process ID.

GetWindowThreadProcessId(windh, &ppid);
This gets the Thread ID that initialized the window AND the process ID.

HANDLE pproc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ppid);
This creates a Handle of the process and uses the OpenProcess function to set it's access rights and Process ID.

VirtualProtectEx(pproc,(LPVOID)0xMemoryAddress, 1, PAGE_READWRITE, &OLDPROTECT);
This function was already explained above; however, I'll review. VirtualProtectEx() is an extension of VirtualProtect() and writes to the memory page rights of another process.

WriteProcessMemory(pproc,(LPVOID)0xMemoryAddress,M emoryToBeWrittenBytes,sizeof(MemoryToBeWrittenByte s),0);
This is the function for injecting code into another process. WriteProcessMemory(). pproc is the process handle AKA the process it's writing to. (LPVOID)0xMemoryAddress is the memory location it will be written to. Example: 0x00500000. MemoryToBeWrittenBytes is the bytes it will take and write. Example: "\x54\x90"
sizeof(MemoryToBeWrittenBytes) is the size of the bytes being written. Example: "\x54\x90" would be a size of 2, so sizeof(2)
The last parameter is optional.

VirtualProtectEx(pproc,(LPVOID)0xMemoryAddress, 1, OLDPROTECT, &OLDPROTECT);
This sets the memory page back to it's original state, this is great to do because some programs have a red flag for if any changes to a memory page are made.

This sums up basic code injection.

Just give a Feedback if it Helped you ;)

Quote:

Originally Posted by Archelon Code: #include <stdio.h> #include <iostream> #include <stdlib.h> #include <string.h> #include <Windows.h> #include <TlHelp32.h> using namespace std; Windows.h is the header file for the Windows API / Using Win32 functions.

Ok, so windows.h is needed, and for what are all the other headers and that "using namespace std;" (which is the line why nobody here will take you serious :D )? No other headers than windows.h are needed for your snippet.

Quote:

Originally Posted by Archelon Code: HANDLE pproc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ppid); // Sets the process handle with it's access rights

If you open a handle, please close it by using [Only registered and activated users can see links. Click Here To Register...]. That is part of something called "clean programming".

Quote:

Originally Posted by Archelon If the memory page was Read-Only then it can't be written to with WriteProcessMemory() alone, you'd have to set the page rights to writable with VirtualProtectEx().

Wow, I don't know where you find that information but it is just wrong. Look at the WriteProcessMemory implementation within kernelbase and you'll see that calling VirtualProtect before WriteProcessMemory yourself is unnecessary.

Quote:

Originally Posted by Archelon HANDLE pproc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ppid); This creates a Handle of the process and uses the OpenProcess function to set it's access rights and Process ID.

Not wrong, but why using ALL_ACCESS if everything needed is just writing to the process' address space? It's almost always better (and recommended) to use as minimal privileges as possible.

Quote:

Originally Posted by Archelon VirtualProtectEx(pproc,(LPVOID)0xMemoryAddress, 1, PAGE_READWRITE, &OLDPROTECT); This function was already explained above; however, I'll review. VirtualProtectEx() is an extension of VirtualProtect() and writes to the memory page rights of another process.

As I explained above that is unnecessary. But if I would follow your logic that would be wrong, too. Or at least it won't work if you're trying to write code / data over a page change as only one page would be writeable and not the other(s) that you would want to write to.

Quote:

Originally Posted by Archelon WriteProcessMemory(pproc,(LPVOID)0xMemoryAddress,M emoryToBeWrittenBytes,sizeof(MemoryToBeWrittenByte s),0); [...] sizeof(MemoryToBeWrittenBytes) is the size of the bytes being written. Example: "\x54\x90" would be a size of 2, so sizeof(2)

So if I would like to write "\x90\x90\x90\x90\x90", that would be 5 bytes, so I would write "sizeof(5)"? Maybe you don't get what I want to say here. The literal 5 is defined as an integer. An integer has almost always (especially if you work with windows) the size of 4 bytes. So sizeof(5) evaluates almost always to 4, which makes the code just wrong.

Quote:

Originally Posted by Archelon Just give a Feedback if it Helped you ;)

Well, also you didn't help me, I gave you a feedback. Please learn the language and know what you're doing and saying before trying to write (and publish) tutorials.

With best regards
Jeoni

P.S.: If I made any mistakes (except some of my English sentences) on this one, correct me. Thanks.

Well, the amount of your mistakes are terrible in relation to the few written code lines. Also, to be clear: your code reperesents the most primitive injection-technique. Modern programs protect themselves against that possibility by default.